forked from openembedded/openembedded-core
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Backport CVE patches from upstream to fix: CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734 CVE-2022-28735 Backport the following 5 patches to make CVE patches be applied smoothly. video-Remove-trailing-whitespaces.patch video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Loading branch information
Showing
11 changed files
with
1,621 additions
and
0 deletions.
There are no files selected for viewing
179 changes: 179 additions & 0 deletions
179
...s-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,179 @@ | ||
| From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 | ||
| From: Daniel Axtens <dja@axtens.net> | ||
| Date: Tue, 6 Jul 2021 18:51:35 +1000 | ||
| Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap | ||
| out-of-bounds write | ||
|
|
||
| A 16-bit greyscale PNG without alpha is processed in the following loop: | ||
|
|
||
| for (i = 0; i < (data->image_width * data->image_height); | ||
| i++, d1 += 4, d2 += 2) | ||
| { | ||
| d1[R3] = d2[1]; | ||
| d1[G3] = d2[1]; | ||
| d1[B3] = d2[1]; | ||
| } | ||
|
|
||
| The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, | ||
| but there are only 3 bytes allocated for storage. This means that image | ||
| data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes | ||
| out of every 4 following the end of the image. | ||
|
|
||
| This has existed since greyscale support was added in 2013 in commit | ||
| 3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). | ||
|
|
||
| Saving starfield.png as a 16-bit greyscale image without alpha in the gimp | ||
| and attempting to load it causes grub-emu to crash - I don't think this code | ||
| has ever worked. | ||
|
|
||
| Delete all PNG greyscale support. | ||
|
|
||
| Fixes: CVE-2021-3695 | ||
|
|
||
| Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
|
|
||
| Upstream-Status: Backport | ||
| CVE: CVE-2021-3695 | ||
|
|
||
| Reference to upstream patch: | ||
| https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08 | ||
|
|
||
| Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| --- | ||
| grub-core/video/readers/png.c | 87 +++-------------------------------- | ||
| 1 file changed, 7 insertions(+), 80 deletions(-) | ||
|
|
||
| diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
| index 35ae553c8..a3161e25b 100644 | ||
| --- a/grub-core/video/readers/png.c | ||
| +++ b/grub-core/video/readers/png.c | ||
| @@ -100,7 +100,7 @@ struct grub_png_data | ||
|
|
||
| unsigned image_width, image_height; | ||
| int bpp, is_16bit; | ||
| - int raw_bytes, is_gray, is_alpha, is_palette; | ||
| + int raw_bytes, is_alpha, is_palette; | ||
| int row_bytes, color_bits; | ||
| grub_uint8_t *image_data; | ||
|
|
||
| @@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
| data->bpp = 3; | ||
| else | ||
| { | ||
| - data->is_gray = 1; | ||
| - data->bpp = 1; | ||
| + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| + "png: color type not supported"); | ||
| } | ||
|
|
||
| if ((color_bits != 8) && (color_bits != 16) | ||
| && (color_bits != 4 | ||
| - || !(data->is_gray || data->is_palette))) | ||
| + || !data->is_palette)) | ||
| return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| "png: bit depth must be 8 or 16"); | ||
|
|
||
| @@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data) | ||
| } | ||
|
|
||
| #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
| - if (data->is_16bit || data->is_gray || data->is_palette) | ||
| + if (data->is_16bit || data->is_palette) | ||
| #endif | ||
| { | ||
| data->image_data = grub_calloc (data->image_height, data->row_bytes); | ||
| @@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data) | ||
| int shift; | ||
| int mask = (1 << data->color_bits) - 1; | ||
| unsigned j; | ||
| - if (data->is_gray) | ||
| - { | ||
| - /* Generic formula is | ||
| - (0xff * i) / ((1U << data->color_bits) - 1) | ||
| - but for allowed bit depth of 1, 2 and for it's | ||
| - equivalent to | ||
| - (0xff / ((1U << data->color_bits) - 1)) * i | ||
| - Precompute the multipliers to avoid division. | ||
| - */ | ||
| - | ||
| - const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 }; | ||
| - for (i = 0; i < (1U << data->color_bits); i++) | ||
| - { | ||
| - grub_uint8_t col = multipliers[data->color_bits] * i; | ||
| - palette[i][0] = col; | ||
| - palette[i][1] = col; | ||
| - palette[i][2] = col; | ||
| - } | ||
| - } | ||
| - else | ||
| - grub_memcpy (palette, data->palette, 3 << data->color_bits); | ||
| + | ||
| + grub_memcpy (palette, data->palette, 3 << data->color_bits); | ||
| d1c = d1; | ||
| d2c = d2; | ||
| for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3, | ||
| @@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data) | ||
| return; | ||
| } | ||
|
|
||
| - if (data->is_gray) | ||
| - { | ||
| - switch (data->bpp) | ||
| - { | ||
| - case 4: | ||
| - /* 16-bit gray with alpha. */ | ||
| - for (i = 0; i < (data->image_width * data->image_height); | ||
| - i++, d1 += 4, d2 += 4) | ||
| - { | ||
| - d1[R4] = d2[3]; | ||
| - d1[G4] = d2[3]; | ||
| - d1[B4] = d2[3]; | ||
| - d1[A4] = d2[1]; | ||
| - } | ||
| - break; | ||
| - case 2: | ||
| - if (data->is_16bit) | ||
| - /* 16-bit gray without alpha. */ | ||
| - { | ||
| - for (i = 0; i < (data->image_width * data->image_height); | ||
| - i++, d1 += 4, d2 += 2) | ||
| - { | ||
| - d1[R3] = d2[1]; | ||
| - d1[G3] = d2[1]; | ||
| - d1[B3] = d2[1]; | ||
| - } | ||
| - } | ||
| - else | ||
| - /* 8-bit gray with alpha. */ | ||
| - { | ||
| - for (i = 0; i < (data->image_width * data->image_height); | ||
| - i++, d1 += 4, d2 += 2) | ||
| - { | ||
| - d1[R4] = d2[1]; | ||
| - d1[G4] = d2[1]; | ||
| - d1[B4] = d2[1]; | ||
| - d1[A4] = d2[0]; | ||
| - } | ||
| - } | ||
| - break; | ||
| - /* 8-bit gray without alpha. */ | ||
| - case 1: | ||
| - for (i = 0; i < (data->image_width * data->image_height); | ||
| - i++, d1 += 3, d2++) | ||
| - { | ||
| - d1[R3] = d2[0]; | ||
| - d1[G3] = d2[0]; | ||
| - d1[B3] = d2[0]; | ||
| - } | ||
| - break; | ||
| - } | ||
| - return; | ||
| - } | ||
| - | ||
| { | ||
| /* Only copy the upper 8 bit. */ | ||
| #ifndef GRUB_CPU_WORDS_BIGENDIAN | ||
| -- | ||
| 2.34.1 | ||
|
|
50 changes: 50 additions & 0 deletions
50
...es-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| From 210245129c932dc9e1c2748d9d35524fb95b5042 Mon Sep 17 00:00:00 2001 | ||
| From: Daniel Axtens <dja@axtens.net> | ||
| Date: Tue, 6 Jul 2021 23:25:07 +1000 | ||
| Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table | ||
| items | ||
|
|
||
| In fuzzing we observed crashes where a code would attempt to be inserted | ||
| into a huffman table before the start, leading to a set of heap OOB reads | ||
| and writes as table entries with negative indices were shifted around and | ||
| the new code written in. | ||
|
|
||
| Catch the case where we would underflow the array and bail. | ||
|
|
||
| Fixes: CVE-2021-3696 | ||
|
|
||
| Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
|
|
||
| Upstream-Status: Backport | ||
| CVE: CVE-2021-3696 | ||
|
|
||
| Reference to upstream patch: | ||
| https://git.savannah.gnu.org/cgit/grub.git/commit/?id=210245129c932dc9e1c2748d9d35524fb95b5042 | ||
|
|
||
| Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| --- | ||
| grub-core/video/readers/png.c | 7 +++++++ | ||
| 1 file changed, 7 insertions(+) | ||
|
|
||
| diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c | ||
| index a3161e25b..d7ed5aa6c 100644 | ||
| --- a/grub-core/video/readers/png.c | ||
| +++ b/grub-core/video/readers/png.c | ||
| @@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) | ||
| for (i = len; i < ht->max_length; i++) | ||
| n += ht->maxval[i]; | ||
|
|
||
| + if (n > ht->num_values) | ||
| + { | ||
| + grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| + "png: out of range inserting huffman table item"); | ||
| + return; | ||
| + } | ||
| + | ||
| for (i = 0; i < n; i++) | ||
| ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; | ||
|
|
||
| -- | ||
| 2.34.1 | ||
|
|
84 changes: 84 additions & 0 deletions
84
...es-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| From 22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 Mon Sep 17 00:00:00 2001 | ||
| From: Daniel Axtens <dja@axtens.net> | ||
| Date: Wed, 7 Jul 2021 15:38:19 +1000 | ||
| Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write | ||
|
|
||
| Certain 1 px wide images caused a wild pointer write in | ||
| grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), | ||
| we have the following loop: | ||
|
|
||
| for (; data->r1 < nr1 && (!data->dri || rst); | ||
| data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
|
|
||
| We did not check if vb * width >= hb * nc1. | ||
|
|
||
| On a 64-bit platform, if that turns out to be negative, it will underflow, | ||
| be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so | ||
| we see data->bitmap_ptr jump, e.g.: | ||
|
|
||
| 0x6180_0000_0480 to | ||
| 0x6181_0000_0498 | ||
| ^ | ||
| ~--- carry has occurred and this pointer is now far away from | ||
| any object. | ||
|
|
||
| On a 32-bit platform, it will decrement the pointer, creating a pointer | ||
| that won't crash but will overwrite random data. | ||
|
|
||
| Catch the underflow and error out. | ||
|
|
||
| Fixes: CVE-2021-3697 | ||
|
|
||
| Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
|
|
||
| Upstream-Status: Backport | ||
| CVE: CVE-2021-3697 | ||
|
|
||
| Reference to upstream patch: | ||
| https://git.savannah.gnu.org/cgit/grub.git/commit/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6 | ||
|
|
||
| Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
| --- | ||
| grub-core/video/readers/jpeg.c | 10 +++++++++- | ||
| 1 file changed, 9 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c | ||
| index 579bbe8a4..09596fbf5 100644 | ||
| --- a/grub-core/video/readers/jpeg.c | ||
| +++ b/grub-core/video/readers/jpeg.c | ||
| @@ -23,6 +23,7 @@ | ||
| #include <grub/mm.h> | ||
| #include <grub/misc.h> | ||
| #include <grub/bufio.h> | ||
| +#include <grub/safemath.h> | ||
|
|
||
| GRUB_MOD_LICENSE ("GPLv3+"); | ||
|
|
||
| @@ -699,6 +700,7 @@ static grub_err_t | ||
| grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| { | ||
| unsigned c1, vb, hb, nr1, nc1; | ||
| + unsigned stride_a, stride_b, stride; | ||
| int rst = data->dri; | ||
| grub_err_t err = GRUB_ERR_NONE; | ||
|
|
||
| @@ -711,8 +713,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) | ||
| return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| "jpeg: attempted to decode data before start of stream"); | ||
|
|
||
| + if (grub_mul(vb, data->image_width, &stride_a) || | ||
| + grub_mul(hb, nc1, &stride_b) || | ||
| + grub_sub(stride_a, stride_b, &stride)) | ||
| + return grub_error (GRUB_ERR_BAD_FILE_TYPE, | ||
| + "jpeg: cannot decode image with these dimensions"); | ||
| + | ||
| for (; data->r1 < nr1 && (!data->dri || rst); | ||
| - data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) | ||
| + data->r1++, data->bitmap_ptr += stride * 3) | ||
| for (c1 = 0; c1 < nc1 && (!data->dri || rst); | ||
| c1++, rst--, data->bitmap_ptr += hb * 3) | ||
| { | ||
| -- | ||
| 2.34.1 | ||
|
|
63 changes: 63 additions & 0 deletions
63
meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| From 3e4817538de828319ba6d59ced2fbb9b5ca13287 Mon Sep 17 00:00:00 2001 | ||
| From: Daniel Axtens <dja@axtens.net> | ||
| Date: Mon, 20 Dec 2021 19:41:21 +1100 | ||
| Subject: [PATCH] net/ip: Do IP fragment maths safely | ||
|
|
||
| We can receive packets with invalid IP fragmentation information. This | ||
| can lead to rsm->total_len underflowing and becoming very large. | ||
|
|
||
| Then, in grub_netbuff_alloc(), we add to this very large number, which can | ||
| cause it to overflow and wrap back around to a small positive number. | ||
| The allocation then succeeds, but the resulting buffer is too small and | ||
| subsequent operations can write past the end of the buffer. | ||
|
|
||
| Catch the underflow here. | ||
|
|
||
| Fixes: CVE-2022-28733 | ||
|
|
||
| Signed-off-by: Daniel Axtens <dja@axtens.net> | ||
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
|
|
||
| Upstream-Status: Backport | ||
| CVE: CVE-2022-28733 | ||
|
|
||
| Reference to upstream patch: | ||
| https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287 | ||
|
|
||
| Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> | ||
|
|
||
| --- | ||
| grub-core/net/ip.c | 10 +++++++++- | ||
| 1 file changed, 9 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c | ||
| index e3d62e97f..3c3d0be0e 100644 | ||
| --- a/grub-core/net/ip.c | ||
| +++ b/grub-core/net/ip.c | ||
| @@ -25,6 +25,7 @@ | ||
| #include <grub/net/netbuff.h> | ||
| #include <grub/mm.h> | ||
| #include <grub/priority_queue.h> | ||
| +#include <grub/safemath.h> | ||
| #include <grub/time.h> | ||
|
|
||
| struct iphdr { | ||
| @@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, | ||
| { | ||
| rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) | ||
| + (nb->tail - nb->data)); | ||
| - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); | ||
| + | ||
| + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), | ||
| + &rsm->total_len)) | ||
| + { | ||
| + grub_dprintf ("net", "IP reassembly size underflow\n"); | ||
| + return GRUB_ERR_NONE; | ||
| + } | ||
| + | ||
| rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); | ||
| if (!rsm->asm_netbuff) | ||
| { | ||
| -- | ||
| 2.34.1 | ||
|
|
Oops, something went wrong.